How To Phish Employees

Almost all of the IT pros we talk to at KnowBe4 agree that end-users are their number one headache when it comes to cybersecurity and managing that problem continues to be a big challenge. Social engineering is by far the easiest way for hackers to gain access, either tailgating through the side door or phishing employees via email and other attack methods.

It is now a must to protect against phishing threats by educating end users. The IT teams that get the approval from management to do this get great results. Apart from budget issues, sometimes there is resistance at the C-level to sending phishing tests to all employees, often driven by departments like Legal or HR who claim "we should not trick our employees". IT in those situations often run into office politics that prevent the phishing project from getting started.

However, today you have to consider a new approach to securing your IT assets. You can’t afford to simply respond to attacks that WILL happen if nothing is done. Instead, you should take a proactive approach that effectively prevents your organization from being a target for cybercriminals.

Here is some ammo to get approval, and more important, air cover from the top of your organization:

First of all, let's talk about the "tricking our employees" issue. If we don't do it, you can bet the bad guys will. Prevention is key. We do not want to wind up like Yahoo, Target, JP Morgan or Home Depot to name just a few and see our organization on the front page with an extremely expensive data breach or worse.

The next big issue is that most small and medium business owners think that they are not a target for cybercrime, but this couldn’t be further from the truth. Cybercriminals choose small and medium sized businesses (SMBs) more often than larger organizations as their prime attack targets.The reason is that many SMBs lack the expertise, budget and time to really defend their network like the bigger companies do. You are the low-hanging fruit and attacks can easily be automated.

New strains of ransomware have a strong potential to cause users sitting on their hands for days because all their files are encrypted and backups failed. Can you really afford that?

Wall Street Journal reported that the Target, Home Depot and Sony hacking incidents grabbed the attention of executives everywhere, bringing home the reality that cybersecurity has become a top risk consideration in the board room. These days getting air cover from the Board is much easier.

Employees are not stupid, they are just trained in another field than IT. Once it has been communicated by the CEO that this is a company-wide ongoing training initiative which includes regular phishing tests and needs everyone's cooperation to be cyberaware, after stepping through the training almost always the employees say: "Wow, I did not know it was that bad on the web." If you frame this as part and parcel of safe Internet usage, there is mostly very positive feedback from end-users.

So, here are the steps we recommend:

Use the above five points to get the OK to do a free phishing security test and get a baseline of how high the employee phish-prone percentage is. Usually an unpleasant surprise but great to get budget.

Find out how affordable this is for your organization. This is normally the pleasant surprise and essentially a no-brainer.

Start the campaign with support from your CEO or another C-level executive and provide a deadline and incentives for the initial security awareness training.

Schedule frequent simulated phishing tests, about once a month, and make it a game where you compare the percentages of different employee groups (this is supported by the KnowBe4 Admin console).

Report regularly to both employees and executives about the positive results and show everyone graphs of the progress you’re making as an organization.

New-school security awareness training could even improve the status of the IT department and make end-users understand much better what massive challenges you are faced with on a day-to-day basis. Good luck!